Today, with machine learning achieving one breakthrough after another, more and more companies are applying it across their security products, e.g., anomaly detection and risk management. However, these efforts either focus on proposing new algorithms or on finding new application scenarios.
Little has been said about the gap between the output of machine learning models and the capacity of security operations, which in practice is a critical issue. For example, feeding 100 million (overwhelmingly benign) test cases into a model with a false positive rate as low as 0.1% still produces 100,000 false alarms, regardless of how many true attacks the model catches. Obviously, no security operations center (SOC) can handle that many alerts. So how can we bridge the gap and make machine learning a better aid to security operations?
In this talk, we will first show the challenges of applying machine learning in the security domain, especially in intrusion detection. Then we will present state-of-the-art security operation techniques and discuss their limitations in handling the output of machine learning models. Next, we will introduce our main idea for bridging the gap, along with several concrete strategies, e.g., combining with behavior analysis, feature-based sorting, risk accumulation, and knowledge graphs. Finally, we will demonstrate corresponding best practices from Alibaba Group.
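As an added example (not code from the talk or from Alibaba; "risk accumulation" and "feature-based sorting" are interpreted here in one plausible way, and the hosts, detector names, timestamps and SOC capacity are constructed assumptions), the following Python shows the alert-budget arithmetic above and one way to aggregate alerts per entity so that a burst of low-score but related alerts on one host outranks hundreds of isolated high-score false positives:

```python
"""Illustrative alert budgeting and per-entity risk accumulation (added example)."""
from collections import defaultdict
from dataclasses import dataclass


def expected_false_alarms(n_cases: int, false_positive_rate: float) -> int:
    """Alerts a detector raises on benign inputs alone: the abstract's
    100 million cases at 0.1% FPR still means 100,000 alerts to triage."""
    return round(n_cases * false_positive_rate)


@dataclass(frozen=True)
class Alert:
    entity: str    # host, account, or other unit a SOC analyst would investigate
    ts: float      # minutes since the start of the window (hypothetical clock)
    feature: str   # which detector / feature fired (hypothetical names)
    score: float   # model confidence in [0, 1]


def rank_by_score(alerts, capacity: int):
    """Baseline triage: hand the SOC the top-N individual alerts by model score."""
    return sorted(alerts, key=lambda a: a.score, reverse=True)[:capacity]


def accumulate_risk(alerts, half_life_min: float = 60.0):
    """Risk accumulation per entity with exponential time decay.

    Each alert contributes its score, discounted by how long before the
    entity's most recent alert it fired.  A burst of related alerts on one
    host therefore outweighs the same number of isolated alerts scattered
    across many hosts.  Returns {entity: (risk, set_of_features_seen)}.
    """
    by_entity = defaultdict(list)
    for a in alerts:
        by_entity[a.entity].append(a)
    result = {}
    for entity, items in by_entity.items():
        latest = max(a.ts for a in items)
        risk = sum(a.score * 0.5 ** ((latest - a.ts) / half_life_min) for a in items)
        result[entity] = (risk, {a.feature for a in items})
    return result


def triage_queue(alerts, capacity: int):
    """Feature-based sorting on top of accumulated risk.

    Entities are ranked first by how many distinct detectors fired on them
    (breadth of suspicious behaviour), then by accumulated risk, and the
    list is cut to what the SOC can actually investigate.
    """
    scored = accumulate_risk(alerts)
    ranked = sorted(scored.items(),
                    key=lambda kv: (len(kv[1][1]), kv[1][0]), reverse=True)
    return [(entity, round(risk, 3), sorted(feats))
            for entity, (risk, feats) in ranked[:capacity]]


def constructed_alerts():
    """Constructed sample data, not real telemetry.

    200 hosts each raise one isolated high-score alert during the day (the
    false positives).  One host, web-07, raises four lower-score alerts from
    four different detectors within ten minutes (the incident).
    """
    features = ["new_process", "outbound_conn", "cred_access", "priv_esc"]
    alerts = [Alert(f"host-{i:03d}", ts=i * 7.0, feature=features[i % 4], score=0.95)
              for i in range(200)]
    alerts += [Alert("web-07", ts=600.0 + 3.0 * k, feature=f, score=0.80)
               for k, f in enumerate(features)]
    return alerts


if __name__ == "__main__":
    capacity = 20  # entities the SOC can investigate per shift (assumed)
    alerts = constructed_alerts()
    print("expected false alarms:", expected_false_alarms(100_000_000, 0.001))
    print("raw alerts:", len(alerts), "capacity:", capacity)
    baseline = rank_by_score(alerts, capacity)
    print("web-07 in score-ranked top-N:", any(a.entity == "web-07" for a in baseline))
    for entity, risk, feats in triage_queue(alerts, capacity)[:3]:
        print(f"{entity:10s} risk={risk:6.3f} features={feats}")
```

With the score-only baseline, the 200 isolated 0.95-score alerts fill the queue and the compromised host never reaches an analyst; with per-entity accumulation and a sort on detector breadth, web-07 tops the queue even though each of its alerts scored lower than every false positive. The half-life and the breadth-first ordering are tuning choices, and a real deployment would also feed entity context (asset criticality, known-good behaviour) into the ranking.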